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Thank you Chairman Ratcliffe, Chairman Hurd, Ranking Member Richmond, Ranking Member 
Kelly, and Members of the Subcommittees for engaging in this important discussion. I appreciate 
the opportunity to appear before you today. 


Although I am new to the U.S. Office of Personnel Management (0PM), having only been at the 
agency for about six months, I am pleased with the transformative activities that my office has 
already undertaken. Since arriving, I have worked with senior staff to identify key priorities to 
drive our efforts and to build governance processes to support our work. We recognize that 
0PM is an organization made up of terrific people with a mission to serve not just the Federal 
workforce, but also the American people. To successfully meet this important mission, 0PM 
will continue to bring to the Federal government agile, modern Information Technology (IT) 
solutions that reflect its needs and leverage forward-leaning capabilities. The Department of 
Homeland Security’s Continuous Diagnostics and Mitigation (CDM) Program is an important 
element to assist us with this goal. 


As the former Chief Information Officer (CIO) for the State of Maryland, and with over 20 years 
of private sector executive experience, I look at 0PM’s current posture through both a private 
and public sector viewpoint. There are two main points that I think are critical to the context of 
the conversation we are having today regarding CDM. First, we must understand that CDM is a 
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broad approach and is continuously evolving. Every day the malieious aetors around the globe, 
who are equivalent to military grade adversaries, are adapting. Therefore, as Federal agencies, 
we need to have the flexibility to adapt. Second, we must strive to have CDM and similar future 
programs, reduce the time required for the public sector to procure technological solutions 
compared to the time it takes in the private sector, which contributes to a gap in preparedness. 

As an entrepreneur and small business owner in the private seetor, I had the flexibility to procure 
and implement a solution to mitigate a zero-day threat or vulnerability immediately; however, as 
the CIO for a Federal ageney, I do not have that same flexibility to get needed tools on our 
network in real-time. While CDM has eertainly reduced the proeurement timeframe for 
eyberseeurity technology, a goal should be to eontinue to enhanee the ability for ageneies to 
procure what they need to maintain the appropriate cyber defenses as quickly as possible. The 
faster agencies can procure technology, the faster technology can be implemented - which gives 
agencies the best chance to stay ahead of possible threats that eontinue to evolve and beeome 
more sophistieated. 


Since coming to 0PM, I have developed a vision of the top five priorities the CIO must address 
to successfully support 0PM. Those priorities are; 1) eontinue to fully mature the Risk 
Management Program by building on OPM’s eyberseeurity success to date, applying new 
technologies and techniques, and implementing the best practice recommendations from the 
Department of Homeland Seeurity, the Government Accountability Office, and OPM’s Inspector 
General, as appropriate; 2) work with stakeholders to provide new and innovative customer 
experiences through the latest technology; 3) utilize technology to reduce the investigation 
inventory; 4) ereate IT finaneial transparency through implementation of a standardized 
teehnology with the ability to develop a sustainable, transparent, and repeatable financial model; 
and 5) align the CIO organization to better meet the needs of 0PM by providing a foundation for 
current and efficient services that will last longer than the lifespan of a server and that can be 
leveraged for the long term. 


CDM supports these priorities and 0PM will eontinue to build off of its suceessful 
implementation of CDM’s Phase 1 and the continued implementation of Phase 2. As you may 
know, 0PM is one of the first agencies to fully implement CDM, and we have benefited from the 
enhanced visibility into who and what is on our network so that we ean more aeeurately and 
rapidly respond to potential risks. 0PM completed implementation of CDM Phase 1 with the 
CDM dashboard fully populated in the spring of 2017 using the CDM sensors we’ve been 
deploying sinee 2015. This phase focuses on managing “what is on the network,” to inelude the 
management and eontrol of deviees, software, seeurity eonfiguration settings, and software 
vulnerabilities. For 0PM, this has meant gaining greater insights into connection points within 
our network, which provides us with the ability to better regulate devices conneeting to the 
environment as well as a better understanding of what should actually be on the network. In 
addition, 0PM made use of CDM teehnologies to identify and strategieally resolve potential 
vulnerabilities, whieh has resulted in better overall risk management and response. 
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0PM is on track to complete implementation of CDM Phase 2 in the summer of 2018, ahead of 
the scheduled fall 2018 target for the Federal government. Phase 2 focuses on the management 
and control of user access privileges. Phase 2 has allowed 0PM to standardize the access of 
systems so that the management of all accounts is unified and controlled through an agency 
governance process. Redueing the volume and seope of user access also helps 0PM identify 
anomalies related to possible insider threat aetivities and prevent data loss. Aeeess for privileged 
users, which are users that have some administrative access to systems or data, is being enforced 
through a separate login mechanism. Our next step toward completion of CDM Phase 2 is to 
activate additional two-factor authentication enforcement features. This is espeeially eritical in 
the context of the events of 2015 beeause it will add additional two-faetor authentication 
requirements to address longstanding audit findings. 


0PM has been suecessful in the implementation of Phase 1 and 2 of CDM due to the alignment 
of the technology available through CDM with agency technology strategy and life eycle 
management. The use of CDM has set the stage for 0PM to move into a Continuous Monitoring 
approach that enhances 0PM’s ability to manage its systems and continually evolve to secure its 
systems in near real-time. 


I am also pleased with how CDM Phase 3 has evolved from offering very specific software or 
eapabilities within eertain National Institute of Standards and Teehnology eontrol families to a 
“buffet” style offering with software and capabilities supporting the neeessary agility that 
Federal agencies require to meet the unique needs and goals related to their specific operations. 
Looking forward, 0PM will increasingly leverage CDM for our procurement needs to meet new 
ehallenges. We will prioritize our risk management needs and align the new teehnologies 
offered by CDM to meet our highest risks in a eontinuous effort to reduce vulnerabilities. 


I see Phase 4 of CDM transitioning into an ongoing and continuous monitoring effort that will 
allow 0PM and other ageneies to keep paee with malicious actors. For agencies to be 
sueeessful. Phase 4 should allow the Federal government the ability to move as quiekly as new 
technologies and threats evolve. This can be accomplished through an offering of tools and 
services that meet the specific goals and needs of agencies and through agile procurement 
eapabilities that allow agencies to ehange and adapt their tools in real-time. Following best 
practices in government proeurement, eoupled with a continued effort to survey what capabilities 
are available throughout the private sector, will help keep the Federal government informed and 
on pace. For CDM to be successful in the long term, it will need to continue to evolve, including 
the use of new ideas and eoneepts, sueh as the use of Artifieial Intelligenee (AI), for immediate 
identifieation, response, and updates to threats. Due to the asymmetric nature of attacks, we also 
need to consider security risks related to the increasing use of AI by our adversaries across all 
sectors and how that may impact the kinds of cyber defense and tools we need. 


I aecepted the position of CIO at 0PM because I truly believe in the 0PM mission and beeause it 
is an agency in which great success can be achieved and demonstrated. The people at 0PM are 
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dedicated, new technology is being implemented, and the agency is committed to supporting all 
the Federal employees who devote their lives to serving the American people. Although there 
may be bumps in the Federal government’s journey to keep pace with potential cyber threats, I 
am confident we have an incredible opportunity to make strides towards a successful future. I 
look forward to working with the Members of these Subcommittees to continue our efforts of IT 
modernization and the evolution of the CDM Program so that it will remain a successful resource 
for Federal agencies. 


Thank you for the opportunity to testify before you today. I look forward to answering any 
questions you may have. 
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